Hacking Wall Street: Reconceptualizing Insider Trading Law for Computer Hacking and Trading Schemes

Abstract

This paper explores how insider trading law addresses computer hackers who employ cyberattacks in connection with the purchase or sale of securities. Current securities law is ill-equipped to deal with such hackers because, unlike the typical defendants in insider trading cases, hackers owe no fiduciary duty to shareholders and no duty of confidentiality to insiders that provide material non-public information. In order to bring hacker-traders within the ambit of federal securities law, the U.S. Securities and Exchange Commission (SEC) developed a novel theory of liability that treats hacking and trading as a form of deception in violation of Section 10(b) of the Securities Exchange Act of 1934. However, the viability of the SEC’s theory remains to be seen as only one decision has endorsed it—SEC v. Dorozhko, 574 F.3d 42 (2d Cir. 2009). This paper argues that, from a normative perspective, the Second Circuit correctly expanded Section 10(b) to hacking and trading. However, this paper takes issue with the Second Circuit's proposition that hacking amounts to deception only when the hacker misrepresents his or her “identity in order to gain access to information that is otherwise off limits, and then steal[s] that information” for purposes of securities trading. Currently, there is little scholarship that thoroughly explores the potential for hackers to use innovative cyberattacks in order to avoid liability for securities fraud. This paper adds to the existing literature by arguing that even if the judiciary were to adopt the SEC’s reconceptualization of insider trading, it is unlikely that the theory would apply to certain sophisticated cybersecurity schemes—such as informed cyber-trading, whereby investors trade “on the basis of advanced knowledge of a cybersecurity breach.” In addition, it is unlikely that Dorozhko would apply to schemes in which a group of hackers short a corporation’s stock and then initiate a cyberattack, such as a distributed denial of service (DDoS) attack, in order to cause a decline in the stock price. Such conduct would not amount to "deceptive hacking" under Dorozhko because even though the hackers masqueraded their identities, they did not do so in order to obtain the type of confidential information typically at issue in illegal insider trading schemes.